A large-scale malware campaign was recently discovered involving 190 apps, which together had been installed 9.3 million times. The campaign aimed to distribute the Trojan “Android.Cynos.7.origin” (as Dr.Web detects it), derived from the Cynos malware, in order to exfiltrate sensitive user data. At the time of writing, the danger has subsided, and the identified apps have all been removed from the AppGallery store.
The campaign in fact targeted Huawei’s AppGallery (which can be installed on any Android smartphone) and not the Google Play Store that is usually installed natively on smartphones and tablets. Dr.Web has published the complete list of affected apps, which is useful for checking whether an individual user has been hit by the malware campaign. While Huawei has promptly removed the dangerous apps from its store, users must remove them from their smartphones to avoid further risk of data loss.
Malware campaign targets Huawei’s AppGallery: 190 apps were involved
The malware authors hid their code in several Android apps, among them games such as platformers, arcade, real-time strategy and shooter titles. Many of the apps were localized in Russian, Chinese or, as far as the international versions are concerned, English. Since all the apps delivered the promised functionality perfectly, it was difficult for users to suspect the malicious aspect. Among the most popular apps were Hurry up and hide, with over 2 million downloads, Cat Adventures (400 thousand downloads) and Drive School Simulator (more than 140 thousand downloads), but the complete list is very long.
This variant of the Cynos Trojan can perform various malicious activities, including monitoring SMS messages or downloading and installing other malicious code: “Android.Cynos.7.origin is one of the modifications of the Cynos program module. This module can be integrated into Android apps to monetize them, and is a platform known since at least 2014”, explained Dr.Web analysts in the published document. “Some of its versions have quite aggressive features: they send premium SMS, intercept incoming SMS, download and start additional modules and download and install other apps.” In the recent case on AppGallery, however, the main features involved the collection of information about users and their devices, as well as the display of advertisements.
The aggressive nature of the Trojan could be recognized by the most attentive users right from installation, since the games requested permissions for activities not normally associated with a video game, such as the ability to make phone calls or determine the user’s location.
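As an added illustration of the permission mismatch just described (example code written for this article, not from Dr.Web or Huawei), the following script parses a decoded AndroidManifest.xml and flags permissions a game has no ordinary reason to request; the permission list and the sample manifest are constructed assumptions for the example.

```python
# Added example: flag permissions that are out of place in a mobile game,
# the kind of install-time mismatch the article says attentive users could
# notice. Not code from the article, Dr.Web or Huawei.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a game normally has no business requesting. The SMS, call and
# install entries mirror the Cynos behaviour described above; the list is an
# assumption for this example, not an official or exhaustive catalogue.
SUSPICIOUS_FOR_GAMES = {
    "android.permission.READ_SMS": "read incoming SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send (possibly premium) SMS",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "track approximate location",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [
        node.get(f"{ANDROID_NS}name", "")
        for node in root.iter("uses-permission")
    ]

def flag_game_permissions(manifest_xml: str) -> dict[str, str]:
    """Map each suspicious permission found in the manifest to why it matters."""
    return {
        perm: SUSPICIOUS_FOR_GAMES[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SUSPICIOUS_FOR_GAMES
    }

# Constructed sample manifest for a fictional game (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, reason in flag_game_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {reason}")
```

A decoded manifest can be obtained from an APK with a tool such as apktool; binary (compiled) manifests must be decoded first, since this parser reads plain XML.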
Huawei has already commented on the incident, releasing a note to the international press that we freely translate below:
“AppGallery’s built-in security system quickly identified the potential risk within these apps. We are now actively working with relevant developers to fix issues in their apps. Once we confirm that the apps are all secure, they will be re-posted on the AppGallery so that consumers can download them again without risk.
Protecting network security and user privacy is Huawei’s top priority and we welcome any third-party oversight and feedback to ensure we deliver on this commitment. We will continue to work closely with our partners and, at the same time, to use the most advanced and innovative technologies to safeguard the privacy of our users.”